Home page logo

dailydave logo Dailydave mailing list archives

Re: smaller errors eroding situational awareness.
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Wed, 21 Aug 2013 10:12:34 +1000


The core issue here is related to compliance, not security.

For instance, PCI DSS v2.0 Requirement 6.2 mandated that a "High" Risk
vulnerability .. *may* include a CVSS base score of 4.0 or above, ..."
[emphasis added].

Therefore, the likelihood of an unschedule outage from implementing a
patch and/or workaround for a low or medium severity is outweighed by
their risk appetite (i.e. lack of  maturity within the culture of the
end user to support the processes related to the implementation of
workarounds and/or patching of vulnerabilities of low and medium

Hence, the end user's definition of a "high" risk vulnerability can be
reclassified as a much higher CVSSv2 Base Score than 4.0 because PCI
DSS permits this.

On Sat, Aug 17, 2013 at 6:32 AM, Anton Chuvakin <anton () chuvakin org> wrote:
of prioritization for vulnerabilities. I've seen to many organizaitons
debate a CVSS score with our support team so they can get it moved off
of their mandate to patch everything with a CVSS score of X or higher.

This, BTW, is NOT a joke :-)   In essence, many of these organization
will likely NOT learn any lessons from the directory traverse ownage,
apart from "NVD can be wrong."  If they can fix/patch  500
vulns/month, but their VA tool shows them 1000 Hs, 5000 Ms and
infinity of Ls a week, their patching strategy won't suddenly change
to "fix all Hs, Ms and Ls."  Exploitability may help them a bit, but I
doubt it will "solve the problem."  After all, the Low severity vuln
of "system responds to pings" is ...ahemmm.. exploitable as you can
actually send the damn ping :-)

Christian Heinrich

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]